TREA

Safety critical control system that includes control logic or machine readable instructions that selectively locks or enables the control system based on one or more machine implemented state machines that includes states associated with detection or matching of one or more predetermined signals on distinct conduction paths between elements of the control system and related methods

Follow

Information

  • Patent Grant
  • 10508055
  • Patent Number
    10,508,055
  • Date Filed
    Thursday, February 2, 2017
    7 years ago
  • Date Issued
    Tuesday, December 17, 2019
    5 years ago
Information
Abstract
This disclosure involves a method of controlling a safety critical control device, the method comprising: sending user inputs to a first state machine, identifying user inputs by the first state machine, determining the correct state to communicate to a second state machine, the correct state being determined by selecting one state of a plurality of states depending on the user inputs, communicating the correct state to a second state machine through a control bus, and determining the correct state for the second state machine based on communication from the control bus.
Description
BACKGROUND

The present invention relates to safety critical control systems. In particular, the invention relates to software and hardware systems and methods that implement a control system for systems that require high reliability and safety.


A life-critical system or safety-critical system is a system whose failure or malfunction may result in death or serious injury to people; loss or severe damage to equipment and/or environmental harm. A variety of approaches have been attempted to increase safety margins and reliability however these approaches have resulted in a variety of disadvantages which result in undesirable first, second, and third order effects.


For example, single signal systems result in a susceptibility to stray voltage activated control inputs and serial control systems result in increased overhead and complexity which can create different failure modes. Increased overhead requires more complex software and control systems such as advanced microprocessors that have to be ruggedized against a variety of environmental threats. Complex software requires substantial resources including time and personnel to write and maintain. Therefore, improvements to existing state of the art control systems are needed to enable use of safety critical control systems in environments where high reliability and simplified implementation are required.


SUMMARY OF THE DISCLOSURE

An exemplary embodiment of the invention can include a safety critical control transmitting and receiving apparatus comprising a transmitter that has a first state machine. The exemplary first state machine further contains a first plurality of identifiable states. The exemplary apparatus also has a receiver that that has a second state machine where the second state machine contains a second plurality of identifiable states. The exemplary apparatus also has a control bus containing a plurality of wires where the control bus electronically couples the first state machine and the second state machine. The exemplary first state machine transmits a specific state to the second state machine through the control bus.


An exemplary embodiment of the invention also can include a method of controlling a safety critical control device. One exemplary method involves sending user inputs to a first state machine, identifying user inputs by the first state machine, determining a correct state to communicate to a second state machine, the correct state being determined by selecting one state of a plurality of states depending on the user inputs, communicating the correct state to a second state machine through a control bus, and determining the correct state for the second state machine based on communication from the control bus.


An exemplary embodiment of the invention can also include an apparatus for controlling a safety critical device that has a control panel that has a plurality of inputs, an activation switch that can maintain an engaged or a disengaged position, a first state machine that is electronically coupled to the control panel and the activation button, a control bus that is electronically coupled to the first state machine, a second state machine that is electronically coupled to the control bus, and a safety critical device that has an engaged position and a disengaged position. In this exemplary apparatus, the safety critical device cannot be engaged without corresponding commands from both the plurality of inputs on the control panel and the activation switch.


Additional features and advantages of the present invention will become apparent to those skilled in the art upon consideration of the following detailed description of the illustrative embodiment exemplifying the best mode of carrying out the invention as presently perceived.





BRIEF DESCRIPTION OF THE DRAWINGS

Further objects and advantages of the present invention will become readily apparent upon reference to the following description of the preferred embodiments and to the accompanying drawings, wherein corresponding reference characters indicate corresponding parts in the drawings and wherein:



FIGS. 1A and 1B depict a safety critical control system in one embodiment of the invention;



FIG. 2 shows another embodiment of a safety critical control system;



FIG. 3 shows one embodiment of a control panel of the safety critical control system of FIGS. 1A and 1B;



FIG. 4 shows one embodiment of a transmitter state machine of the safety critical control system of FIGS. 1A and 1B;



FIG. 5 shows an embodiment of a receiver state machine of the safety critical control system of FIGS. 1A and 1B; and



FIG. 6 shows an embodiment of a control system signal timing configuration of the safety critical control system of FIGS. 1A and 1B.





DETAILED DESCRIPTION OF THE DRAWINGS

The embodiments of the invention described herein are not intended to be exhaustive or to limit the invention to precise forms disclosed. Rather, the embodiments selected for description have been chosen to enable one skilled in the art to practice the invention.


Referring now to FIGS. 1A and 1B, a safety critical control system 1 in accordance with one embodiment of the invention includes a transmitter 5, a control bus 9, and a receiver 11. The transmitter 5 is adapted to receive system control inputs from a user or other control systems (not pictured). The exemplary control bus 9 includes redundant bus lines or wires coupling the transmitter 5 with the receiver 11; the receiver 11 interfaces with a system under control 15. The exemplary control bus 9 comprises wires or lines that are shielded and separated from each other. In this embodiment, the redundant control lines or wires comprise three lines or wires 19, 21, 23 in at least one redundant portion of the system where two out of the three control wires (e.g., 19, 21) carry an inverted logic signal as compared to the signal carried on the third line or wire, e.g., 23. An additional fourth wire or control line can be utilized to communicate fault conditions detected by the receiver to the transmitter, 25.


In particular, the exemplary control bus 9 wiring or control lines comprise a primary 19, secondary 21, and tertiary line 23 which are each adapted to carry a plurality of signals generated by the transmitter 5, one of which indicates a valid activation or control signal. The three wires or control lines 19, 21, 23, 25 comprising the exemplary control bus 9 can be routed in their own wire bundle which can be further protected by a grounded shield (not shown). The wires or control lines 19, 21, 23, 25 can be separated and shielded to reduce risks associated with damage to the bus 9 lines or wires as well as to reduce susceptibility to radiated emissions. The receiver 11 can have a signal processing system having a section adapted to function as a receiving state machine 43 for detecting signal combinations from one or more lines (e.g., 19, 21, 23) in the exemplary control bus 9. One embodiment has a receiver 11 and receiving state machine 43 further adapted to further detect and process signals from at least one system under control 15.



FIG. 2 illustrates how one station 200 can be controlled and powered by the safety critical control system 1. In this embodiment, a power supply subassembly 204 can provide the necessary power to the station 200. Station 200 can include an activation mechanism 202 that is electronically coupled to transmitting state machine 41 (e.g. seen in FIG. 1B). Further, a control panel 208 can be located in a position that is accessible to a user and can contain a plurality of buttons or controls. Control panel 208 can also be electronically coupled to transmitting state machine 41. Transmitting state machine 41 can transmit a signal along the bus 9 that is generated by inputs received from both the control panel 208 and the activation mechanism 202. The bus 9 may further relay the signal to a receiving state machine 43. The receiving state machine 43 can interpret the signal sent by the transmitting state machine 41 through the bus 9 to control a safety critical device 206. The safety critical device 206 may not be activated unless the proper state indicator has been received from the transmitting state machine 41.



FIG. 3 illustrates a control panel 208 that can control a plurality of helicopter external weapon or stores mounting stations (not shown). For example, the control panel 208 can provide for user inputs to arm or disarm a selected weapon or stores mounting, e.g., station four 304, or station seven 306. The control panel 208 can be electronically coupled to both the activation mechanism 202 and the transmitting state machine 41 to communicate the user inputs to the transmitting state machine 41. For example, when one of the stations 304 or 306 has been switched by the user into an armed state, the transmitting state machine 41 may be in a ready to operate state. Further, if the transmitting state machine 41 is in a ready to operate state and the activation mechanism 202 is engaged by the user, the transmitting state machine 41 may enter into an operate state for a duration of a time the activation mechanism 202 is engaged.


Referring to FIG. 4, the exemplary transmitting state machine 41 referenced in FIG. 1B is shown having a plurality of states including a power-up/safe state 45, a fault and/or lock-out state 42, a ready-to-operate (RTO) state 47, and an operate state 49. These states are duplicated in both the transmitter 5 and receiver 11 referenced in FIG. 1B. The exemplary transmitting and receiving state machines 41, 43 are adapted to have transitions from one state to another that require one or more conditions to be satisfied. The exemplary transmitter power-up/safe state 45 of the transmitter 5 occurs when power is applied to the transmitter 5. The exemplary transmitter 5 transitions between the power-up/safe state 45 and the RTO state 47 when inputs to the transmitter 5 (either from other control systems or from the user) equal a predetermined state, e.g., when one of the stations 304 or 306 of the control panel 208 is switched to an armed position. While in the RTO state 47, the transmitter 5 changes the state of the control bus 9 as shown in FIG. 6 with the primary line 19 being driven logic low, the secondary line 21 being driven logic low and the tertiary line 23 being driven logic high. The exemplary transmitter 5 transitions between the RTO state 47 and operate state 49 when inputs to the transmitter 5 (either from other control systems or from the user engaging the activation mechanism 202) equal a predetermined state. While in the operate state 49, the transmitter 5 changes the state of the control bus 9 as shown in FIG. 6 with the primary line 19 being driven logic high, the secondary line 21 being driven logic low and the tertiary line 23 being driven logic low. Additionally, these states must transition to their opposite logic state periodically to remain in the operate state 49. During the operate state 49, the primary line 19 may be delivering a first discrete signal while the secondary 21 and tertiary 23 lines may be delivering a parallel discrete signal to one another, but an inverted discrete signal compared to the primary line 19. For the transmitting state machine 41 to remain in the operate state 49, the discrete and inverted discrete signals can properly transitioning from logic high to logic low state while being monitored by time restraints. For example, if the primary line 19 transitions from the logic high state to the logic low state, the secondary 21 and tertiary 23 lines may have to transition to a logic low state within 10 milliseconds of the transition of the primary line 19 in order to continue operating the safety critical device. The exemplary transmitter 5 cannot transition directly from the power-up/safe state 45 to operate state 49.


In FIG. 4, the exemplary transmitter 5 enters the fault and/or lock-out state 42 when an internal error to the transmitter 5 is detected, other input conditions to the transmitter 5 (either from other control systems or from the user) equal a predetermined state, or the receiver 11 transmits a fault condition to the transmitter 5 via the fault control line 25 on the control bus 9. The fault and/or lock-out state 42 prevents the transmitter 5 from transitioning to any other state until power is cycled to the transmitter 5. The exemplary transmitter power-up/safe state 45 of the receiver 11 occurs when power is applied to the receiver 11.



FIG. 5 illustrates how the exemplary receiver 11 transitions from the power-up/safe state 45 to the RTO state 47 when the control bus 9 transitions to the states shown in FIG. 6 with the primary line 19 being driven logic low, the secondary line 21 being driven logic low and the tertiary line 23 being driven logic high.


Referring to FIG. 5, the exemplary receiver 11 transitions from the RTO state 47 to the operate state 49 when the control bus 9 transitions to the states shown in FIG. 6 with the primary line 19 being driven logic high, the secondary line 21 being driven logic low and the tertiary line 23 being driven logic low. Additionally, during the operate state 19, the primary, secondary, and tertiary lines 19, 21, and 23 can send discrete and inverted discrete signals to the receiver 11. The primary, secondary and tertiary lines 19, 21, and 23 must transition to their opposite logic state periodically within a time constraint to remain in the operate state 49. While in operate state 49, the receiver 11 will permit the system under control 15 to be operated. The exemplary receiver 11 cannot transition directly from the power-up/safe state 45 to the operate state 49.


The exemplary receiver 11 enters the fault and/or lock-out state 42 when an internal error is detected, other input conditions to the receiver 11 equal an unrecognized state, or the control bus 9 does not transition as specified in FIG. 6. The receiver 11 transmits a fault condition to the transmitter 5 via the fault control line 25 on the control bus 9 while in the fault and/or lock-out state 42. The fault and/or lock-out state 42 prevents the receiver 11 from transitioning to any other state until power is cycled to the receiver 11.


While the present invention has been described in connection with the preferred embodiments of the various figures, it is to be understood that other similar embodiments may be used or modifications and additions may be made to the described embodiment for performing the same function of the present invention without deviating therefrom. Therefore, the present invention should not be limited to any single embodiment, but rather construed in breadth and scope in accordance with the recitation of the appended claims.

Claims
  • 1. A method for controlling a safety critical function of a weapon system, the method comprising: receiving, by a control panel, from an operator, an indication to arm the weapon system;in response to the receiving the indication to arm the weapon system, transmitting, by the control panel, a first set of three or more discrete signals to a weapon control device coupled to the weapon system;determining, by the weapon control device, whether each of the first set of three or more discrete signals meet a first set of level requirements;upon determining that each of the first set of discrete signals do not meet the first set of level requirements, inhibiting, by the weapon control device, the weapon system from performing a safety-critical function;upon determining that each of the first set of discrete signals meet the first set of level requirements, entering, by the weapon control device, an armed state;receiving, by the control panel, from the operator, an indication to activate the safety-critical function of the weapon system;in response to the receiving the indication to activate the safety-critical function of the weapon system, transmitting, by the control panel, a second set of three or more discrete signals to the weapon control device coupled to the weapon system, the second set of three or more discrete signals being different from the first set of three or more discrete signals;determining, by the weapon control device, whether each of the second set of discrete signals meet a second set of level requirements;upon determining that each of the second set of discrete signals do not meet the level requirements, inhibiting, by the weapon control device, the weapon system from performing the safety-critical function; andupon determining that each of the set of discrete signals meets the second level requirement and the weapon control device being in the armed state, activating, by the weapon control device, the safety-critical function of the weapon system.
  • 2. The method of claim 1, wherein each of the first set of discrete signals are transmitted via an electrical conductor shared by a corresponding signal of the second set of three or more discrete signals.
  • 3. The method of claim 2, wherein a signal of the second set of three or more discrete signals is a time-varying discrete signal and the second set of level requirements includes timing information for the second set of three or more discrete signals.
  • 4. The method of claim 3, wherein the weapon control device is further configured to inhibit the safety-critical function of the weapon system if the time-varying discrete signal does not periodically change logic levels based on the timing information.
  • 5. The method of claim 1, wherein each of the first set of discrete signals and each of the second set of discrete signals comprise signals from the set of: a constant logic level; anda periodically time-varying logic level, the time-varying at a determined periodicity.
  • 6. The method of claim 1, wherein, in response to determining that each of the first set of discrete signals or each of the second set of discrete signals do not meet either the first set of level requirements or the second set of level requirements, inhibiting, by the weapon control device, the weapon system from performing the safety-critical function.
  • 7. The method of claim 6, wherein, in response to determining that each of the first set of discrete signals or each of the second set of discrete signals do not meet either the first set of level requirements or the second set of level requirements, the weapon control device enters a lock-out state, wherein, while in the lock-out state, the weapon control device inhibits the weapon system from performing the safety-critical function; and wherein the weapon control device remains in the lock-out state regardless of a status of the first set of discrete signals or the second set of discrete signals.
CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a divisional continuation of U.S. Pat. No. 9,599,970, filed Mar. 3, 2014, entitled “SAFETY CRITICAL CONTROL SYSTEM THAT INCLUDES CONTROL LOGIC OR MACHINE READABLE INSTRUCTIONS THAT SELECTIVELY LOCKS OR ENABLES THE CONTROL SYSTEM BASED ON ONE OR MORE MACHINE IMPLEMENTED STATE MACHINES THAT INCLUDES STATES ASSOCIATED WITH DETECTION OR MATCHING OF ONE OR MORE PREDETERMINED SIGNALS ON DISTINCT CONDUCTION PATHS BETWEEN ELEMENTS OF THE CONTROL SYSTEM AND RELATED METHODS” which claims priority to U.S. Provisional Patent Application Ser. No. 61/805,551, filed Mar. 27, 2013, entitled “SAFETY CRITICAL CONTROL SYSTEM AND METHOD,” the disclosures of which are expressly incorporated by reference herein.

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT

The invention described herein includes contributions by one or more employees of the Department of the Navy made in performance of official duties and may be manufactured, used and licensed by or for the United States Government for any governmental purpose without payment of any royalties thereon. This invention (Navy Case 200,411) is assigned to the United States Government and is available for licensing for commercial purposes. Licensing and technical inquiries may be directed to the Technology Transfer Office, Naval Surface Warfare Center Crane, email: Cran_CTO@navy.mil.

US Referenced Citations (15)
Number Name Date Kind
5880954 Thomson Mar 1999 A
6201997 Giers Mar 2001 B1
6898468 Ott May 2005 B2
6915235 Reeves Jul 2005 B2
7242116 Kawazu Jul 2007 B2
8224501 Lassini Jul 2012 B2
8260487 Plawecki Sep 2012 B2
8375838 Rudakevych Feb 2013 B2
8478478 Macri Jul 2013 B2
8656081 Irizarry Feb 2014 B2
9086688 Law Jul 2015 B2
9803958 Wolfanger Oct 2017 B2
20080121097 Rudakevych May 2008 A1
20130018692 Guo Jan 2013 A1
20130218372 Wolfanger Aug 2013 A1
Non-Patent Literature Citations (3)
Entry
Ye “Justifying the Use of COTS Components within Safety Critical Applications,” Ph.D thesis, University of York, York, England, 2005.
Askerdal et al. “A Control Theory Approach for Analyzing the Effects of Data Errors in Safetly-Critical Control Systems”, 2002 IEEE, 10 pages.
Cullyer “Safety-critical control systems”, 1991, pp. 202-210.
Related Publications (1)
Number Date Country
20170160031 A1 Jun 2017 US
Provisional Applications (1)
Number Date Country
61805551 Mar 2013 US
Divisions (1)
Number Date Country
Parent 14195241 Mar 2014 US
Child 15423507 US